1
votes

I have a requirement to deploy the same lambda in different AWS accounts. To avoid having two code buckets with the same content, I would like to point, let's say, account B's lambda to account A's S3 code bucket. I tried several approaches and tips from the AWS forums, without success. Here is a glimpse of the config I am using, as CloudFormation templates.

Here is the lambda role:

AWSTemplateFormatVersion: '2010-09-09'
Description: 'lambda role'
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: LambdaRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: LambdaFullAccess
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - "longListOfActions"
            - "s3:*"
            Resource: 
            - '*'
Outputs: 
  LambdaRoleARN: 
    Value: 
      Fn::GetAtt: 
        - "LambdaExecutionRole"
        - "Arn"

Here is the Lambda template:

AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda for subscriptions
Parameters:
  LambdaBucket:
    Type: String
  TheRoleARN:
    Type: String
Resources:
  MyLambda:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: java11
      FunctionName: handler
      MemorySize: 3008
      Timeout: 180
      Role: !Ref 'TheRoleARN'
      Handler: com.project.Handler
      Code:
        S3Bucket: !Ref 'LambdaBucket'
        S3Key: handler.jar

Finally, here is the bucket policy on Account A:

{
    "Version": "2012-10-17",
    "Id": "Policy1608150492429",
    "Statement": [
        {
            "Sid": "Stmt1608150488840",
            "Effect": "Allow",
            "Principal": {
                "AWS": "Account-B-Lambda-Role-ARN"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::the-code-bucket/*"
        }
    ]
}

To summarize, here are the steps I followed:

  • create the lambda role on account B
  • add a bucket policy with the account B lambda role on account A
  • attempt to create the lambda on account B, which results in failure:
    Your access has been denied by S3, please make sure your request credentials have permission to GetObject for the-code-bucket/handler.jar. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: abd49370-e172-4fc9-9348-804cc7ff5e23; Proxy: null)

This is clearly a permissions issue. Any suggestions are welcome.

Thanks.

1 Answer

2
votes

Lambda is going to use your IAM user/role to access the zip in a different account, not your function's role. So you have to allow IAM users to access it, which is done using the following bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1608150492429",
    "Statement": [
        {
            "Sid": "Stmt1608150488840",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<Account-B-Id>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::the-code-bucket/*"
        }
    ]
}
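To see why the asker's role-scoped policy fails when the code object is fetched under the deployer's credentials, here is a small added policy evaluator (example code, not from the question or the answer) that runs the two policies above against a deployer identity and the function role; the account ID 222222222222, the cfn-deployer user and the policy tightening to the single key are constructed assumptions.

```python
import fnmatch

# Constructed placeholders: account B is 222222222222, the deployer is the IAM
# user CloudFormation runs as in B, and LambdaRole is the function's execution role.
DEPLOYER = "arn:aws:iam::222222222222:user/cfn-deployer"
FUNCTION_ROLE = "arn:aws:iam::222222222222:role/LambdaRole"
CODE_OBJECT = "arn:aws:s3:::the-code-bucket/handler.jar"

# The asker's policy: trusts only the function role, and grants s3:* on every key.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": FUNCTION_ROLE},
    "Action": "s3:*", "Resource": "arn:aws:s3:::the-code-bucket/*"}]}

# The answer's policy, narrowed to the one object: delegates read access to account
# B, so the deployer can fetch the jar provided its own identity policy in B also
# allows s3:GetObject on it (cross-account access needs both sides to grant).
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "222222222222"},
    "Action": "s3:GetObject", "Resource": CODE_OBJECT}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    # '*', an exact ARN, or account-level delegation (bare account ID or its
    # :root ARN, which covers every identity in that account).
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    return any(entry in ("*", caller_arn, account, f"arn:aws:iam::{account}:root")
               for entry in _as_list(principal.get("AWS", [])))

def evaluate(policy, caller_arn, action, resource):
    """Simplified bucket-policy evaluation: explicit Deny wins, any matching
    Allow grants, default is Deny. Action names match case-insensitively."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if (not _principal_matches(stmt["Principal"], caller_arn)
                or not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                or not any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Calling `evaluate(ORIGINAL_POLICY, DEPLOYER, "s3:GetObject", CODE_OBJECT)` reproduces the 403 as "Deny", while the same call against `FIXED_POLICY` returns "Allow" and any other action or key on that bucket stays denied.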